Eric Dorland wrote:
> But I don't think it's good for our users for Debian to have rights
> that the users don't have.

Debian already has rights that their users don't have, the most
prominent among them being to label a Linux distribution as "Debian" (or
"official Debian", or whatever it is you guys use). :-)

> They do have concerns about the trustability of CAcert certs. I'm
> mostly convinced they're no worse than other CAs.

What we have a problem with (in the context of including the cert in
Firefox) is the fact that CAcert haven't been audited, so the risk of
including them is unquantifiable. Please see the CAcert list for recent
discussions on this topic.
Eric Dorland wrote in another thread:
> Will they add the SPI root CA to their root CA list? It's pretty Debian
> specific, so I doubt it.
There are two ways we could go about this. The first is for the MoFo to
have a list of CAs who meet the CA policy[0] in all other ways except
that they are too specific to go into the general Firefox build. These
could then be included by any distributor at will.
The difficulty with that is that currently we don't have time to
evaluate the requests of all the CAs requesting general distribution,
let alone ones we aren't going to include ourselves.
The second is for Debian to show us their policy on how they decide
whether a CA is trustworthy, and we say "yes, taking everything into
account, that policy is OK with us" and then we let you guys get on with
it. But to attempt this, I need to see the policy :-)
Gerv
[0] http://www.hecker.org/mozilla/ca-certificate-policy